Big Bucket records retention schedules (RRS) are common practice in the Records and Information Management (RIM) industry. The Big Bucket approach involves grouping records together based on similar business processes and events to the greatest extent possible. Routine records are classified separately. Implementing a Big Bucket approach means that duplication and overlapping between business areas are reduced, resulting in a simplified schedule that will increase adherence and compliance. Many organizations favor this schedule method for many reasons, but mostly because it’s simple. As with any schedule design, Big Bucket schedules can have hang-ups. Lately, RIM professionals have started reviewing their schedules with a focus on privacy. In particular, the upcoming enforcement of the European Union (EU) General Data Protection Regulation (GDPR). The regulation generally requires that personally identifiable information (PII) be retained for no longer than needed. In addition, many international jurisdictions have passed laws requiring certain types of PII be retained no longer than a defined period.
When organizations review retention periods with privacy in mind, a common knee jerk reaction is to think the Big Bucket approach is too big. How can we possibly satisfy all the legal/privacy requirements and restrictions, as well as operational and business needs with one single retention period?
Fear not. I am here to tell you that the Big Bucket approach will survive. It is still the best retention schedule approach available, but there’s room for improvement when it comes to privacy. Here are a few strategies to address privacy for your Big Bucket RRS:
- Privacy Mapping: Scrutinize your record series and identify records with personally identifiable information (PII). Consider evaluating them through a risk analysis by focusing on those record series with highest privacy risks (think employee and customer PII, for example). Be sure your analysis includes functions, record series, and specific records that contain personally identifiable information (PII). You’ll likely need to engage with stakeholders within your organization to accomplish this.
- Collection Purpose Review: As part of your analysis, try and gain an understanding of how or why that PII is used. This information will help you assess retention periods.
- Review Legal Requirements & Restrictions: RRS retention periods used to be about how long you should keep records. Now, an equally important part of that analysis considers how quickly PII records should be disposed of. When working through your Big Bucket approach, be sure to consider how you need to dispose of these records and implement a plan for how to do so.
With information gathered through steps 1-3, you can begin to review whether the current retention periods are reasonable. You can address record series that pose problems in the following ways:
- De-Consolidate: Separate out highly regulated types of PII. Internationally, and increasingly in the U.S., this includes CCTV footage and applications of non-hired employees. Maintain these records at a shorter retention period consistent with privacy restrictions.
- Reassess the Schedule Baseline: Many international Big Bucket RRS are built to cater to U.S. regulations. But there might be opportunities to reduce retention periods by checking business and/or operational needs. Determine if retention periods can be reduced, particularly for those high-risk PII record series. There may be instances where it makes sense to create an exception for the U.S.
- U.S. and International /E.U. Hybrid Schedule: For identified record series, consider creating separate retention period baselines for U.S./International, and EU. This may be a temporary fix for your organization The U.S., Asia, and rest of the world are quickly catching up with new privacy laws.
Updating your Big Bucket RRS to meet privacy requirements may seem unmanageable. But, it is doable and necessary; It just requires the right strategy and approach. With guidance from key stakeholders, including your organization’s privacy officer or a privacy professional, your retention schedule will survive and you can keep the Big Bucket retention schedule alive.
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.